MSFT_MpPreference class

Windows Defender Preferences Class

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.

Syntax

class MSFT_MpPreference
{
  string   ComputerID = msft_mppreference.xml;
  boolean  DisableAutoExclusions = FALSE;
  string   ExclusionPath[];
  string   ExclusionExtension[];
  string   ExclusionProcess[];
  uint32   QuarantinePurgeItemsAfterDelay;
  uint8    RealTimeScanDirection = 0;
  uint8    RemediationScheduleDay;
  DateTime RemediationScheduleTime;
  uint32   ReportingAdditionalActionTimeOut;
  uint32   ReportingCriticalFailureTimeOut;
  uint32   ReportingNonCriticalTimeOut;
  uint8    ScanAvgCPULoadFactor;
  boolean  CheckForSignaturesBeforeRunningScan;
  uint32   ScanPurgeItemsAfterDelay;
  boolean  ScanOnlyIfIdleEnabled;
  uint8    ScanParameters;
  uint8    ScanScheduleDay;
  DateTime ScanScheduleQuickScanTime;
  DateTime ScanScheduleTime;
  uint32   SignatureFirstAuGracePeriod;
  uint32   SignatureAuGracePeriod;
  string   SignatureDefinitionUpdateFileSharesSources;
  boolean  SignatureDisableUpdateOnStartupWithoutEngine;
  string   SignatureFallbackOrder;
  uint8    SignatureScheduleDay;
  DateTime SignatureScheduleTime;
  uint32   SignatureUpdateCatchupInterval;
  uint32   SignatureUpdateInterval;
  uint8    MAPSReporting;
  uint8    SubmitSamplesConsent;
  boolean  DisablePrivacyMode;
  boolean  RandomizeScheduleTaskTimes;
  boolean  DisableBehaviorMonitoring;
  boolean  DisableIntrusionPreventionSystem;
  boolean  DisableIOAVProtection;
  boolean  DisableRealtimeMonitoring;
  boolean  DisableScriptScanning;
  boolean  DisableArchiveScanning;
  boolean  DisableCatchupFullScan;
  boolean  DisableCatchupQuickScan;
  boolean  DisableEmailScanning;
  boolean  DisableRemovableDriveScanning;
  boolean  DisableRestorePoint;
  boolean  DisableScanningMappedNetworkDrivesForFullScan;
  boolean  DisableScanningNetworkFiles;
  boolean  UILockdown;
  sint64   ThreatIDDefaultAction_Ids[];
  uint8    ThreatIDDefaultAction_Actions[];
  uint8    UnknownThreatDefaultAction;
  uint8    LowThreatDefaultAction;
  uint8    ModerateThreatDefaultAction;
  uint8    HighThreatDefaultAction;
  uint8    SevereThreatDefaultAction;
};

Members

The MSFT_MpPreference class has these types of members:

  • Methods
  • Properties

Methods

The MSFT_MpPreference class has these methods.

Method Description
Add

TBD

Remove

TBD

Set

TBD

 

Properties

The MSFT_MpPreference class has these properties.

CheckForSignaturesBeforeRunningScan

Data type: boolean

Access type: Read-only

When set, Windows Defender will check for new signatures before running a scan. If new signatures are found they will be downloaded and installed before the scan begins. If no new signatures are found, the scan will start based on the existing signatures.

ComputerID

Data type: string

Access type: Read-only

Computer ID created by MAPS

DisableArchiveScanning

Data type: boolean

Access type: Read-only

Disable archive scanning.

DisableAutoExclusions

Data type: boolean

Access type: Read-only

Beginning in Windows 10: Allows an administrator to specify if the Automatic Exclusions feature for Server SKUs should be turned off.

DisableBehaviorMonitoring

Data type: boolean

Access type: Read-only

Disable behavior monitoring.

DisableCatchupFullScan

Data type: boolean

Access type: Read-only

Disable catch-up full scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

DisableCatchupQuickScan

Data type: boolean

Access type: Read-only

Disable catch-up quick scan. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

DisableEmailScanning

Data type: boolean

Access type: Read-only

Disable email scanning.

DisableIntrusionPreventionSystem

Data type: boolean

Access type: Read-only

Disable intrusion prevention system.

DisableIOAVProtection

Data type: boolean

Access type: Read-only

Disable IOAV protection.

DisablePrivacyMode

Data type: boolean

Access type: Read-only

Disable the privacy mode.

DisableRealtimeMonitoring

Data type: boolean

Access type: Read-only

Disable real-time monitoring.

DisableRemovableDriveScanning

Data type: boolean

Access type: Read-only

Disable removable drive scanning.

DisableRestorePoint

Data type: boolean

Access type: Read-only

Disables restore point.

DisableScanningMappedNetworkDrivesForFullScan

Data type: boolean

Access type: Read-only

Disable running full scan on mapped network drives.

DisableScanningNetworkFiles

Data type: boolean

Access type: Read-only

Disables scanning network files.

DisableScriptScanning

Data type: boolean

Access type: Read-only

Disable script scanning.

ExclusionExtension

Data type: string array

Access type: Read-only

Allows an administrator to explicitly disable a scan from checking any of the extensions listed.

ExclusionPath

Data type: string array

Access type: Read-only

Allows an administrator to explicitly disable a scan from checking any of the paths listed.

ExclusionProcess

Data type: string array

Access type: Read-only

Allows an administrator to explicitly disable a scan from checking any of the processes listed.

HighThreatDefaultAction

Data type: uint8

Access type: Read-only

Default action for high severity threats.

Clean (1)

Quarantine (2)

Remove (3)

Allow (6)

UserDefined (8)

NoAction (9)

Block (10)

LowThreatDefaultAction

Data type: uint8

Access type: Read-only

Default action for low severity threats.

Clean (1)

Quarantine (2)

Remove (3)

Allow (6)

UserDefined (8)

NoAction (9)

Block (10)

MAPSReporting

Data type: uint8

Access type: Read-only

Join Microsoft MAPS.

Disabled (0)

Basic (1)

Advanced (2)

ModerateThreatDefaultAction

Data type: uint8

Access type: Read-only

Default action for moderate severity threats.

Clean (1)

Quarantine (2)

Remove (3)

Allow (6)

UserDefined (8)

NoAction (9)

Block (10)

QuarantinePurgeItemsAfterDelay

Data type: uint32

Access type: Read-only

Indicates how many days items should kept in Quarantine folder before being removed.

RandomizeScheduleTaskTimes

Data type: boolean

Access type: Read-only

This setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.

RealTimeScanDirection

Data type: uint8

Access type: Read-only

Real-time scan direction - Enumeration

Both (0)

Incoming (1)

Outcoming (2)

RemediationScheduleDay

Data type: uint8

Access type: Read-only

Indicates what day of the week to perform the scheduled full scan to complete remediation.

Every Day (0)

Sunday (1)

Monday (2)

Tuesday (3)

Wednesday (4)

Thursday (5)

Friday (6)

Saturday (7)

Never (8)

RemediationScheduleTime

Data type: DateTime

Access type: Read-only

Indicates what time to perform the scheduled full scan to complete remediation.

ReportingAdditionalActionTimeOut

Data type: uint32

Access type: Read-only

Configure timeout for detections requiring additional action.

ReportingCriticalFailureTimeOut

Data type: uint32

Access type: Read-only

Time in minutes for a detection in the 'critically failed' state to move to either 'additional action' or 'cleared' state.

ReportingNonCriticalTimeOut

Data type: uint32

Access type: Read-only

Time in minutes for a detection in the 'failed' state to move to the 'cleared' state.

ScanAvgCPULoadFactor

Data type: uint8

Access type: Read-only

Specify the maximum percentage of CPU utilization during a scan. This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization.

ScanOnlyIfIdleEnabled

Data type: boolean

Access type: Read-only

Run scheduled scans only if system is idle.

ScanParameters

Data type: uint8

Access type: Read-only

Specify the scan type to use for a scheduled scan.

Quick Scan (1)

Full Scan (2)

ScanPurgeItemsAfterDelay

Data type: uint32

Access type: Read-only

Turn on removal of items from scan history folder. This setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed.

ScanScheduleDay

Data type: uint8

Access type: Read-only

Specify the day of the week to run a scheduled scan.

Every Day (0)

Sunday (1)

Monday (2)

Tuesday (3)

Wednesday (4)

Thursday (5)

Friday (6)

Saturday (7)

Never (8)

ScanScheduleQuickScanTime

Data type: DateTime

Access type: Read-only

Specify the time of day to run a scheduled quick scan.

ScanScheduleTime

Data type: DateTime

Access type: Read-only

Specify the time of day to run a scheduled scan.

SevereThreatDefaultAction

Data type: uint8

Access type: Read-only

Default action for severe severity threats.

Clean (1)

Quarantine (2)

Remove (3)

Allow (6)

UserDefined (8)

NoAction (9)

Block (10)

SignatureAuGracePeriod

Data type: uint32

Access type: Read-only

Overrides CheckForSignatureBeforeRunningScan. Aborts any service-initiated update if signature was updated successfully within this amount of time. Time in minutes.

SignatureDefinitionUpdateFileSharesSources

Data type: string

Access type: Read-only

Defines the file shares for downloading definition updates. setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: {\\unc1 | \\unc2 }. The list is empty by default.

SignatureDisableUpdateOnStartupWithoutEngine

Data type: boolean

Access type: Read-only

When set to true, AM Service will not initiate definition update on start-up, regardless of whether an Engine is present or not.

SignatureFallbackOrder

Data type: string

Access type: Read-only

Define the order of sources for downloading definition updates. This setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: 'InternalDefinitionUpdateServer' 'MicrosoftUpdateServer' 'MMPC' 'FileShares'

SignatureFirstAuGracePeriod

Data type: uint32

Access type: Read-only

Aborts any service-initiated update immediately after first install by the configured amount of time.

SignatureScheduleDay

Data type: uint8

Access type: Read-only

Indicates the day of the week in which signature updates occur. If set to zero (0x0) then signature update occurs daily.

Every Day (0)

Sunday (1)

Monday (2)

Tuesday (3)

Wednesday (4)

Thursday (5)

Friday (6)

Saturday (7)

Never (8)

SignatureScheduleTime

Data type: DateTime

Access type: Read-only

Specifies the time at which signature update check happens. By default the signatures are checked before the scheduled scan.

SignatureUpdateCatchupInterval

Data type: uint32

Access type: Read-only

Defines the number of days after which a catch-up signature is warranted. Works with SignatureUpdateLastChecked. 0 = no catch-up; 1 = 1 day; 2 = 2 days, etc.

SignatureUpdateInterval

Data type: uint32

Access type: Read-only

The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).

SubmitSamplesConsent

Data type: uint8

Access type: Read-only

Beginning in Windows 10: For certain samples the service checks for user consent. If the required consent has already been granted, the service submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent when opt-in for MAPS telemetry is set (MAPSReporting != 0).

Always Prompt (0)

Send safe samples automatically (1)

Never send (2)

Send all samples automatically (3)

ThreatIDDefaultAction_Actions

Data type: uint8 array

Access type: Read-only

Default actions for threats upon which default action should not be taken when detected. The actions need to be in the same order as their respective Ids specified in the ThreatIDDefaultAction_Ids property.

Clean (1)

Quarantine (2)

Remove (3)

Allow (6)

UserDefined (8)

NoAction (9)

Block (10)

ThreatIDDefaultAction_Ids

Data type: sint64 array

Access type: Read-only

The Ids of threats upon which default action should not be taken when detected. The actions in ThreatIDDefaultAction_Actions need to be specified in the same order as the Ids in ThreatIDDefaultAction_Ids

UILockdown

Data type: boolean

Access type: Read-only

Enable UI Lockdown mode.

UnknownThreatDefaultAction

Data type: uint8

Access type: Read-only

Default action for unknown threats.

Clean (1)

Quarantine (2)

Remove (3)

Allow (6)

UserDefined (8)

NoAction (9)

Block (10)

Requirements

Minimum supported client

Windows 8.1 [desktop apps only]

Minimum supported server

Windows Server 2012 R2 [desktop apps only]

Namespace

Root\Microsoft\Windows\Defender

MOF

ProtectionManagement.mof

DLL

ProtectionManagement.dll